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Abstract 

To the active-basis-choice decoy state quantum key distribution systems with detector efficiency mismatch, we present a 
modified attack strategy, which is based on faked states attack, with quantum non-demolition measurement ability to restress 
the threat of detector efficiency mismatch. Considering that perfect quantum non-demolition measurement ability dosen’t 
exist in real fife, we also propose a practical attack strategy using photon number resolving detectors. Theoretical analysis 
and numerical simulation results show that, without changing the channel, our attack strategies are serious threats to decoy 
state quantum key distribution systems. The eavesdropper may get some information about the secret key without causing 
any alarms. Besides, the lower-bound of detector efficiency mismatch to run our modified faked states attack successfully 
with perfect quantum non-demolition measurement ability is also given out, which provides the producers of quantum key 
distribution systems with a reference and can be treated as the approximate secure bound of detector efficiency mismatch in 
decoy state quantum key distribution systems. 
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1. Introduction 


Quantum key distribution (QKD) ensures the security of secret key exchange between two separated parties, known 
as Alice and Bob. It is based on the fundamental laws of physics and has been proved to be unconditionally secure mm- 
However, the devices of practical QKD systems are not perfect. The eavesdropper, known as Eve, can always take advantage 
of these loopholes to get information about the secret key. One loophole happens in the weak coherent state source. There 
may be more than one photon in a pulse, which leads the system vulnerable to an attack named photon number splitting 
(PNS) [3]. Although it is nearly impossible to perform perfect PNS attack with prior technology, it is still a big potential 
threat to the practical QKD systems. In 2011, a simplified PNS attack was implemented successfully [J]. To resist PNS 
attack, the idea of decoy state method was proposed EHS], which is widely used in practical QKD systems. 

Another loophole named detector efficiency mismatch (DEM) widely exists in practical QKD systems. There are always 
at least two separate gated single photon avalanche detectors for “0” and “1” values on Bob’s side. In the ideal model, the 
two detectors’ efficiency curves are assumed to be perfectly matched. However, it is not like that in real life. There is a 
probability of approximately 4% that large DEM occurs in practical QKD systems [5]. Besides, Eve can also induce a large 
temporal DEM by interfering the calibration of the detectors m- 

Faked states attack (FSA) [11] is an intercept-resend attack, which works due to the existence of large DEM. Eve randomly 
chooses her measurement basis, then prepares the opposite bit value in the opposite basis according to her measurement 
results and resends the faked states to Bob at different time, denoted as tg ^nd ti. Bob’s detectors barely click when his 
measurement basis choice is different from Eve’s. In reality, to maintain Bob’s overall detection probability the same as that 
before mounting this attack. Eve uses a weak coherent state source and increases the brightness of her faked states uni ED. 

Time-shift attack also exploits DEM PESj. In this attack. Eve shifts the arrival time of each of Alice’s pulse forward 
or backward as she wishes. By this method. Eve can determine the detection results with large probability and introduce no 
additional error. However, comparing with FSA, one drawback of time-shift attack is that it can only compensate the decrease 
of Bob’s detection probability by changing the transmission of the channel, which means that Eve may be discovered when 
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the transmission distance is too short. Besides, changing the transmission of the channel is not as convenient as changing 
the brightness of the faked states in FSA. 

Insufficient models of single photon detectors are also serious threats to the security of practical QKD systems, which can 
be attacked by blinding the detectors with bright illumination [HHiH]. When the detectors are blinded, they only respond to 
the bright pulses. In a modified intercept-resend attack with strong resent pulses, the eavesdropper can control the responses 
of the detectors to get a full copy of the secret key. This kind of attacks would be a serious concern for practical QKD 
systems. Fortunately, protections against bright illumination attacks on gated avalanche photodiodes by correctly operating 
them were proposed in 2011 |19j . 

In Ref. [12], it gave out an idea to mount FSA on weak coherent state source with quantum non-demolition (QND) 
measurement ability. However, perfect QND measurement ability doesn’t exist in reality. To make FSA on decoy state QKD 
more practical, we can use photon number resolving detectors (PNRDs) instead. 

PNRDs are widely used in linear optical quantum computing |20| and quantum information processing OUT]. There are 
several types of mechanisms used to construct PNRDs [22ll26j . Each mechanism has its own advantages and disadvantages 
m- Without 100% single-photon detection efficiency, PNRDs can not tell the exact photon number of each incident pulse 
and the measured photon number is just a lower estimate. The single-photon detection efficiency should be as large as 
possible in order to maximize the probability of detecting all the photons in the incident pulse. 

FSA on single photon QKD was studied in Ref. m, but quantitative analysis on decoy state QKD has not been done 
yet. Security of QKD systems with DEM was analyzed in jSSHSO]. The results showed that DEM must be bounded to ensure 
the security of QKD systems. In Ref. [29], the secure key generation rate formula that took DEM into account was provided 
and the secure bound of DEM in single photon QKD was also given out. However, the secure bound of DEM in decoy state 
QKD has not been presented because of its complexity. What’s more, the secure key generation rate formula presented in 
Ref. [25] is not practical in reality because it will decrease the key generation rate. 

In this paper, we attack decoy state QKD systems with DEM to restress the threat of DEM. First, we present a modified 
strategy, which is based on FSA, with the ability to do QND measurement. We also provide the lower-bound of DEM to 
run FSA successfully on decoy state QKD systems, which can be treated as the approximate secure bound of DEM in decoy 
state QKD. Since perfect QND measurement ability doesn’t exist in real life, we find that it’s also possible to perform our 
attack strategy with PNRDs. The attack strategy is exemplified using weak -|- vacuum decoy state BB84 [3T] QKD here. 

Measurement-device-independent QKD protocol was proposed to defense all side-channel attacks on the loopholes of 
practical detectors in 2012 [32]. However, this protocol is difficult to realize in real world and its key generation rate (about 
10bps at 100km [33]) is much lower than the traditional decoy state BB84 protocol (about 10kbps at 100km [34]), which 
limits its application in practical QKD systems. So our work to attack on decoy state QKD systems is still meaningful. 

This paper is organized as followed. In Sec. 2 we grant Eve a future technology named QND measurement ability to 
mount FSA on decoy state QKD. The attack strategy is described and numerical simulation is done. We also present the 
lower-bound of DEM to successfully attack with perfect QND measurement ability, which gives the producers of practical 
QKD systems a reference. In Sec. 3 we consider a more practical situation that Eve mounts FSA with PNRDs on decoy 
state QKD. The security of decoy state QKD under this attack is analyzed in Sec. 4. Finally, discussion and conclusion are 
made in Sec. 5. 

2. Attack with Perfect QND Measurement Ability on Decoy State QKD Systems 

In this section, we will give out an attack strategy based on FSA on decoy state QKD with the assumption that Eve 
has the ability to do perfect QND measurement. The attack strategy is described, then results of numerical simulation are 
given out. 

2.1. Attack strategy 

If Eve wants to perform attack on decoy state QKD systems successfully, one possible way is to keep the key generation 
rate R and the overall detection probability close to the data before mounting the attack, so QBER is naturally lower 
than the threshold at the same time. In this way. Eve can get information about the secret key while she is hidden. 

Fig. 1 shows the simple diagram of the attack strategy. With perfect QND measurement ability, Eve can get the photon 
number information of every incident signal. According to the measured photon number. Eve controls the optical switch to 
mount FSA on those signals that contain only one photon. 
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Figure 1: Simple diagram of our attack strategy that Eve has QND measurement ability. PN, photon number; OS, optical switch; SP, single-photon 
signal; MP, multi-photon signal; X/Z, active basis choice. 


Usually, those signals that contain more than one photon can be passed undisturbedly to Bob or eavesdropped on using 
PNS attack or just blocked. In Ref m, it proposed the idea to mount FSA on weak coherent state source by letting all 
multi-photon signals be passed undisturbedly. But we find that it’s the best way for Eve to block all the multi-photon signals. 
The benefits of this strategy are that, first of all, the secure key of QKD with weak coherent state source all comes from 
signals that contain no more than one photon. Blocking all the multi-photon signals will increase the lower-bound of the 
gain of single-photon signals, Qi^. We can get this conclusion by expanding Eq. 35 in ref. [S]. The expansion is as follow: 


Qi 


L 


/ii/ — 1/2 * i\ 


where p is the average photon number of signal state, v is the average photon number of decoy state, and Yi is the yield 

of an i-photon pulse. It is easy to get Qi diminishing with i, because —L jg non-positive when i>2. Blocking 

all the multi-photon signals makes i=l or 0, thus increases Qi^. A higher Qi^ leads to a higher secure key generation rate 
which is good for Eve. Second, the idea of letting those multi-photon signals be passed undisturbedly will make a small part 
of the key unavailable, but our strategy will not, which is the same as the idea of eavesdropping the multi-photon signals 
using PNS attack. 

In order to maintain the overall detection probability of Bob’s detectors, Eve uses weak coherent state source to generate 
faked states. The average photon number of the faked states sent by Eve at to (^i) is t^o(Mi)- According to Ref. [10], the 
detection probability of faked states on Bob’s detector “0”, and “1”, pi), are: 

Po{po, pi) = 0.75 -b 0.25d - 0.25(1 - -b -b (1) 

pi(;xo,/ii) = 0.75-b0.25(i-0.25(1 - d)(e-°'5'^‘>’'i'> -b -b (2) 

where rjmn, m,n€{0,1}, represents the equivalent overall transmission and detection efficiency between Alice and Bob’s de¬ 
tector m at time t„. d is the dark count probability of Bob’s detectors. 

The total detection probability of faked states on Bob’s detectors Parrive{^J-o^ ^J-l) is 

Parr^veipo, t^i) = 1 ” 0.25(1 - + 0.25d(l - d) 

X (g-//i/;oi _|_ g-Z/Q/iio j _ 0.25(1 — d)2j^g-0.5/io/?oo-0.5/io//io _|_ g-0.5/xir;oi-0.5/ii?7ii^^ 

And the error rate of faked states Perroripo^ Pi) is 

Perroripo, Pi) = 0.125(1 - d)(g-0-5//or/oo + g-0.5/.ir)ii _ ^-0.5iJ.oVio _ g-0.5//ir,oi _ g-//ir,oi _ g-//o>?io) 

-0.125(1 - d)2(g-0-5Mor;oo-0.5/xo»?io + g-0.5Mi/7oi-0.5A/imi) + 0.125d(l - d)(e-^i''«i -b e-^'>’’i«)-b0.5. 

In our attack strategy with QND measurement ability, the overall detection probability of signal state on Bob’s detectors 
includes the detection probability of faked states resent by Eve and the dark count probability, that is 


Q fi — Parrive (po,Pi)pe ^ + {1- pe ^)d. 

Similarly the detection rate of the decoy state with an average photon number of v is 


Qv — ParriveiPO: Pl)'^^ “b (1 VC )d. 


3 








































The error rate contains the error probability of faked states and the error probability from dark count, so we have 


Ef_,Qfj,=Perror{po,fJ-l)lJ-e- ^ + -{I - fie ^)d. 

And the overall QBER after attack is given by 

p 

"" 0. ■ 

Eve is able to control three parameters. They are po, pi and the maximum value of DEM denoted as fc, where k=r]QQlr\\Q=r\\\l ryoi 
and r]oo='r]ii- In order to keep the detection probability of Bob’s “0” and “1” detectors equivalent, according to Eqs. (1), 
(2), we can assume that pQ=pi=p'. Alice and Bob use the following formulas 


yi^ = 


py — 




p^-v’^ 


p^ 


d), 


= pe-^Y,^, 

JJ EyQyC'’ - \d 
Yi V 

to estimate the lower-bound of the gain of single-photon signals Qi^ and the upper-bound of the error rate of single-photon 
signals ei^. According to the idea of GLLP, they can get the lower-bound of the key generation rate R, which is given by 


R > q{-Q^f{E^)H2{E^) + Qf [1 - i?2(ef)]}, 

where q= f{x) is the bidirectional error correction efficiency, H 2 {x) = —xlog 2 X — (1 — x)log 2 {l — x) is the binary Shannon 
information function. 


2.2. Numerical simulation 

The numerical simulations in this paper use some GYS |35j experiment parameters, including the loss coefficient in the 
quantum channel a = 0.21dB/km; the dark count probability d=1.7 x 10“®; the transmittance in Bob’s side rjBob =0.045; 
the average photon number of the signal state p = 0.48; the average number of the decoy state v = 0.05; the bidirectional 
error correction efficiency is 1.22. We also assume that fc<1000, ryoi=tyiB??Bo6xlO“^(these two assumptions are reasonable 
and they can be achieved in reality uni), where Iab is the channel transmittance. edetector=^ is also assumed to simplify our 
calculation processing, which means no photon hits the erroneous detector. 


X 10“^ 



Figure 2: The relationship of ij, k and fi' when Eve has perfect QND measurement ability. 
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For a fixed transmission distance of 100km, when Eve has perfect QND measurement ability, Fig. 2 shows the relationship 
of i?, k and p,' when R is positive and it is ignored when R<0 . We can figure out that R rises along with k and n', and there 
are many combinations of k and /r' for the same R. Besides, when k is small enough, R is negative no matter how large /r' is. 

So it is easy to find a tuple [k, that makes our attack successful with perfect QND measurement ability, such as 
fc=310, ^'=300. Fig. 3 gives out the comparisons of R and 




Figure 3: (color online). (a)The solid line shows the key generation rate without attack. The dotted line shows the key generation rate under our 
attack with perfect QND measurement ability. Here assuming that edetector=0, so the secure transmission distance extends from 140km to 160km. 
(b)The solid line shows the detection probability of signal state without attack. The dotted line shows the detection probability of signal state 
under our attack with perfect QND measurement ability. We have to note that legitimate users do not take DEM into account when calculating 
the key generation rate and the detection probability without attack. 


From Fig. 3, we can see that when Eve has perfect QND measurement ability, R and under our attack are both very 
close to the normal value. So Eve stays undetected. We have to notice that the numerical simulation above uses fc=310, not 
the maximum value 1000. As we enlarge the value of k, the attack effects will be better. 

Although the lager k is, the better attack effects Eve will get, we are still concerned about the minimum value of k, 
which is set as kmim to make R positive in ideal situation that Eve has perfect QND measurement ability. Fig. 4 shows 
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the relationship between kmin and the transmission distance L. kmin rises with L, and when kmin is larger than 35, FSA 
on decoy state QKD is possible in ideal situation. This provides a reference for the producers of QKD systems. If they can 
improve the calibration process to guarantee the DEM below 35, FSA will no longer be a threat to decoy state QKD. In 
other words, the result of 35 can also be treated as the approximate secure bound of DEM in decoy state QKD systems. 



Figure 4: The relationship between kmin L 


3. Practical Attack with PNRDs on Decoy State QKD Systems 

In Sec. 2, we consider the situation that Eve has perfect QND measurement ability, which doesn’t exist in the real world. 
In this section, we will discuss a more realistic situation that Eve only has PNRDs. We present our attack strategy first, and 
show numerical simulation results later. 

3.1. Attack strategy 



Figure 5: Simple diagram of our attack strategy with PNRDs. Eve and Bob use active basis choice here. X/Z, active basis choice; DO, photon 
number resolving detector 0; Dl, photon number resolving detector 1; FS, faked states source. 


Fig. 5 shows the simple diagram of our practical attack strategy with PNRDs. Eve attacks the system with active basis 
choice at a place close to Alice. She uses two PNRDs for “0”, “1” bit value, and gets the “photon number” of every incident 
pulses by calculating the summation of the detection results of two detectors, which can not be achieved by using single 
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photon detectors. In our attack strategy, Eve mounts FSA only when her measurement results are single-photon signals, and 
the corresponding probability of signal state is 


OO 

Psingle — ^ 
i=l 




where rj is the single-photon detection efficiency of Eve’s PNRDs, p{i) = is the probability of z-photon signal. The 

dark count probability of Eve’s PNRDs is ignored because it’s much smaller than psingle- There are several benefits of this 
strategy. First, this strategy may partially distinguish the multi-photon signals and block them. Second, Eve can get most 
of the information about the secret key, and this strategy is easy to perform. At last, “double-click” means that Eve’s basis 
choice is different from Alice’s, and it should be discarded to benefit Eve. Mounting FSA only when Eve’s measurement 
results are single-photon signals eliminates the influence of “double-click”. 

Similar with the attack strategy in Sec. 2, we can get the overall detection probability of signal state on Bob’s detectors: 

Qg. = ParriveiPO, + (1 “ PVe~'"'^)d. 

The detection rate of the decoy state with an average photon number of v is 

Qv — Parrivei^POt -j- (1 VTJC 

The error rate is ^ 

ddjgQg — Perrori^PO ^ Pl^PV^ 2 

And the overall QBER after attack is given by 

p _ ^gQg 


3.2. Numerical simulation 

Here we take fc=1000, p'=900 and 77 = 0.1 [36j. Fig. 6 gives out the comparisons of R and when attacking with 
PNRDs. 
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(a) 



Figure 6 : (color online). (a)The solid line shows the key generation rate without attack. The dotted line shows the key generation rate under our 
attack with PNRDs that » 7 = 0 . 1 . (b)The solid line shows the detection probability without attack. The dotted line shows the detection probability 
under our attack with PNRDs that 77 = 0 . 1 . 

As shown in Fig. 6 , when L>30 km, R and under our attack are both very close to the normal value. So Eve remains 
hidden. The deviation from theoretical values is large only when the transmission distance is shorter than 30km. This is 
because the channel transmittance is large when the distance is short, which makes the expectation detection probability 
large. What’s more, large average photon number of faked states causes large overall error rate, and makes R lower than 
legitimate users’ expectation. 

The measurements in the attack strategy with perfect QND ability can be separated into two parts. The first one is the 
photon number measurement, and the other is the measurement when mounting FSA. However, our strategy with practical 
PNRDs can put these two parts together which measures the photon number and does the measurement in FSA at the same 
time. It is also the reason why our strategy is interesting. When 77 = 1 , Eve is able to mount FSA on all the single-photon 
signals and block all the multi-photon signals which is exactly the same with that using perfect QND measurement ability. 
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4. The Security Analysis 

Eve’s attack with QND measurement ability is always better than that with PNRDs. When Eve attacks with PNRDs 
whose ry is not 1, she can only distinguish part of the single-photon signals. To maintain the same as Bob’s expectation, 
the average photon number of faked states should be larger than that attacking with perfect QND measurement ability. 
However, larger average photon number of the faked states leads to larger error rate, which decreases the key generation rate. 

Here we analyze the security of the strategy that Eve attacks with PNRDs as an example. In our attack strategy. Eve 
might steal some information about the secret key without being detected. However, she can not get all of the key. When 
Eve’s measurement basis is different from Alice’s and Bob’s, legitimate users may share some absolutely secure key while Eve 
doesn’t know, which is represented by Rabsoiute- To explain Rabsoiute in detail, we give out an example that Alice prepares 
bit 0 in the Z basis and Bob measures in the Z basis, while Eve measures in the X basis. When Eve’s measurement result is 
bit 1, according to the FSA theory, the faked state resent by Eve is bit 0 in the Z basis and Bob will get bit 0 as a result. 
Although the probability of this kind of cases is very small, Alice and Bob will share some absolutely secure key. Using the 
similar idea in Ref. m we can get Table 1, from which Rabsoiute can be calculated. 


Table 1: Given that Alice prepares bit 0 and 1 in the Z basis and that Bob measures in the Z basis, Eve measures in X basis to mount FSA. The 
first column contains Alice’s bit value. The second column shows Eve’s measurement result. The third column shows the parameters of the faked 
state resent by Eve: basis, bit, mean photon number, timing. The fourth column shows Bob’s measurement result; 0 D 1 denotes a double click. 
The last column shows the corresponding detection probabilities. 


Z->. 

— >-Eve 

Eve— 

Bob’s result 

Detection probability 

0 or 1 

0 


0 

0 

II 

0 




1 

Cl = 1 - exp[-iJ.orii{to)] 




0 n 1 

rori 




Loss 

1 - (co -f Cl - CqCi) 

0 or 1 

1 

Z,0,/j-i ,ti 

0 

So = 1 - ea:p[-pi77o(ti)] 




1 

Si = 0 




0 n 1 

SqSi 




Loss 

1 ~ (-^0 + Si — SqSi) 


There are two situations that will induce Rabsoiute- One is that Alice prepares in the Z basis. Bob measures in the Z 
basis and Eve measures in the X basis. The other is Alice prepares in X basis. Bob measures in the X basis and Eve measures 
in the Z basis. The probability that the two situations above occur is From Table 1, in the first situation, the absolutely 
secure key rate is ^{ri -I- Sq). Similarly, the absolutely secure key rate in the second situation is the same. The probability 
that we mount FSA is So we can get the overall absolutely secure key between Alice and Bob is 

Rabsoiute = X I X ^(ri -h So) = -j- sq). 

According to the decoy state theory, if the key generation rate R is larger than Rabsoiute, it means that Eve can always get 
some information about the key. Here we take 77 = 0.1 to do numerical simulation. 

The result is shown in Fig. 7. As we can see, Rabsoiute is always smaller than i?, which means Eve can always get 
information about the key while she is hidden. So the overall security of decoy state QKD is broken. 
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Figure 7: The dashed line represents the key generation rate R and the dotted line shows the relationship between Rabsoiute L. 


5. Discussion and Conclusion 

In this paper, to the decoy state QKD systems with active basis choice, we give out a modified attack strategy with 
perfect QND measurement ability to restress the threat of DEM. We also propose a more practical attack strategy using 
PNRDs as perfect QND measurement ability dosen’t exist in the real world. In our attack strategy, Eve blocks all the 
multi-photon signals and only mounts ESA when her measurement results are single-photon signals. We find that Eve can 
maintain the key generation rate R and the detection probability close to the data without being attacked, and keep 
the QBER low at the same time. So Eve can remain undetected. The security analysis shows that the eavesdropper could 
always get information about the key without being detected, so the overall security of practical decoy state QKD systems 
is broken. We also present the lower-bound of DEM (about 35) to mount FSA successfully with perfect QND measurement 
ability on decoy state QKD systems, which can be treated as the approximate secure bound of DEM. 

In conclusion, by mounting our practical attack strategy on the active-basis-choice decoy state QKD systems with no 
corresponding protections, the eavesdropper is able to get information about the secret key while she is hidden. 
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